Users will now need to be wary of the fake TikTok app and free Laptop offers spreading through WhatsApp and some online websites. According to a report by the researchers at Zscaler, malicious android apps dubbed as TikTok and fake offers for free Lenovo laptops are being used in initiating adware attacks against devices.

The socially-engineered messages lure users into downloading the fake versions of the TikTok app. Another scam lures users into believing that they’ve won a free Lenovo laptop and provide their personal information to claim the prize.

“The detected malware has features common to previously reported malware i.e. it follows a similar method of persistence, and propagation by using the victim’s contact information,” says Deepen Desai, CISO at Zscaler. “The attack campaign is fairly targeted and leverages trusted resources like Weebly and GitHub for distributing the malicious content to the victims,” he added.

The team at Zscaler observed more than about 200 malicious Android apps that used themes related to current affairs. Cybercriminals trigger the attack using an SMS or a WhatsApp message that contains a link for users to click on. Once clicked on, the link takes the user to a site hosted by Weebly.

The original download request contained a user string “Whatsapp/2.21.4.22”, which indicates that the link was clicked by a user in a Whatsapp message. Additional URLs being used were: “https://tiktokplus[.]weebly.com/,” a shortened link: “http://tiny[.]cc/Tiktok_pro, https://tiktokplus[.]weebly.com/,” and a Github download link “https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h[dot].apk.” 

Once a user clicks on these URLs, they reach a malicious site where the attacker entices a user into downloading an android package file. On the other hand, the Lenovo themed attack, the apk file calls datalaile.class that asks users for permission. If the user denies permission, an error message is displayed stating “Need Permission to Start the App!!” Once permissions are obtained, a form asking for a username and password details is displayed on-screen.

The next chain of attacks is followed by spreading the malware as deep as possible and retrieving the maximum amount of personal information. In the case of TikTok, users are asked to spread the download link further to 10 contacts. Once the user shares the message with 10 contacts, the app calls clickendra.class that displays ads with a final message saying “TikTok will start in 1 hour.”

Such apps are used by cybercriminals to generate revenue through advertisements using two software development kits(SDKs). If one SDK fails to retrieve ads, the second SDK is run as a fail-over mechanism. These SDKs were observed and came out to be AppLovin and StartApp.

A fake view is created for the user that contains a fake text message and a progress bar. After setting these things, a request to fetch ads is sent. If the ad is received successfully, it is run and the progress bar is hidden, else a request to run the next ad in sequence is sent. This cycle keeps on repeating itself.

Researchers further suggested users to be aware of such threats and take accurate measures to protect themselves. It is prudent to only download apps from trusted app stores like Google Play or App Store and ditching third-party app stores. Furthermore, deleting any messages that contain suspicious links will help protect your personal data and privacy as well.